The Washington PostDemocracy Dies in Darkness
The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Cyber experts work to write code in safer languages

The Cybersecurity 202

A newsletter briefing on cybersecurity news and policy.

Welcome to The Cybersecurity 202! Are you kidding me? What’s our T-minus countdown to our inevitable “Terminator”-emulating dystopia?

Reading this online? Sign up for The Cybersecurity 202 to get scoops and sharp analysis in your inbox each morning.

Below: The United States and India launch a new cooperation on technology, and Google Fi says its customers were hacked. First: 

There’s momentum to address a kind of computer code that creates major cyber vulnerabilities

Tech companies estimate that it accounts for up to 65 percent of all bugs. At least two major U.S. cybersecurity agencies have warned of its risks. But chances are that unless you’re a cybersecurity professional or policymaker, you might not have even heard of it.

It could even make your eyes glaze over after seeing its name: memory-safety error.

But there’s growing momentum to address the issue, from both inside and outside the government, even if a sea change might be years away.

The bugs can be potentially catastrophic, leading to malware and cyberattacks that can devastate organizations like hospitals, Josh Aas, who’s leading a project to promote memory safety in critical infrastructure, told me. “I’m really glad it’s getting this kind of attention.”

What is it, and what are the risks?

Here’s the fundamental problem: Memory has to be allocated for computer code to carry out instructions, and some older programming languages, like the decades-old C and C++ languages, allow developers to move that memory around manually.

“That freedom also creates risk, allowing a variety of bugs,” an Atlantic Council paper explained last year. “These issues, called memory-safety errors, can result from simple typos and forgotten lines of code or from complex memory structures and unforeseen interactions.”

By contrast, newer programming languages — such as Python, Java and Rust — allocate the memory automatically. Many of them either virtually eliminate memory-safety errors or are designed to make them impossible.

An example of the potential ramifications: A memory-safety error was involved in the 2017 worldwide ransomware WannaCry attack, which the U.S. government blamed on North Korean hackers.

“By exploiting these types of memory issues, malicious actors — who are not bound by normal expectations of software use — may find that they can enter unusual inputs into the program, causing memory to be accessed, written, allocated, or deallocated in unexpected ways,” the National Security Agency said in a November cybersecurity alert. “In some cases, a malicious actor can exploit these memory management mistakes to access sensitive information, execute unauthorized code, or cause other negative impacts.”

Google, for its part, said in a December blog post that memory-safety errors accounted for 86 percent of “critical” (the worst) vulnerabilities in its Android operating system in 2022.

What’s changing, and why?

Besides the NSA, lawmakers and officials from the Cybersecurity and Infrastructure Security Agency have begun emphasizing memory safety. Congress recently included a provision in a spending bill asking the National Cyber Director Chris Inglis’s office to investigate memory safety — and then brief key lawmakers within six months.

Consumer Reports jumped into the fray last week, too, with a study on the future of memory-safe languages.

It’s grown easier to make the arguments for memory-safe code, Aas said, as newer programming languages have proven they can be simultaneously fast and safer.

“It used to be that when you used a memory-safe language, you would take a performance hit in exchange for that safety,” said Aas, executive director of the Internet Security Research Group and head of the affiliated Prossimo project that’s pushing for memory-safe code in critical software. “Memory safety is becoming a very popular topic today, I think, in large part because we’re not faced with that choice anymore.”

Additionally, memory-safe languages once weren’t as flexible, said Dan Lorenc, CEO of software supply chain company Chainguard.

“There have always been memory-safe programming languages, but they weren’t general-purpose enough,” Lorenc, whose company has worked to address memory-safety issues, told me. “They weren’t able to be used in every situation. And more importantly, they weren’t able to be used in the lower-level operations. … Only in the last couple of years has it really become possible to do everything in memory-safe languages.”

The federal government can help by continuing to raise awareness, Lorenc said.

But it also has significant power. As one of the largest buyers of software on the planet, it can apply market pressure by making it clear that agencies will require or prefer memory-safe language products, he said.

How long before things improve?

There are signs that memory-safe language is already making a difference. In its December blog post, Google said it has seen results by shifting its focus to memory-safe code, with annual memory-safety vulnerabilities in its Android operating system dropping from 223 in 2019 to 85 last year.

“While correlation doesn’t necessarily mean causation, it’s interesting to note that the percent of vulnerabilities caused by memory safety issues seems to correlate rather closely with the development language that’s used for new code,” Android security engineer Jeffrey Vander Stoep wrote.

The Prossimo project might not hit its goal of getting the most critical software to convert to memory-safe languages for another five to 10 years, Aas said.

Lorenc said that perhaps “we can see significant progress in the next year.” He added that the Prossimo project completed one of its smaller goals years ahead of schedule. “It’s optimistic, but things are moving way faster than anyone thought already,” he said.

The keys

Russian hackers target Ukrainian energy sector with new malware

One of the most infamous Russian hacking groups, Sandworm, deployed a new data-wiping malware against a Ukrainian energy company last October while Russian military forces launched missiles against the country’s energy infrastructure, researchers at the Slovakian cybersecurity company ESET said in a report released Tuesday. 

“While we are not able to show those events were coordinated, it suggests that Sandworm and military forces of Russia have related objectives,” the researchers wrote. 

The researchers named the new malware strain “NikoWiper.” Hackers based the wiper off a Microsoft tool used to delete files known as SDelete. ESET’s report mentioning the new wiper comes after the company last week identified another attack by Sandworm that took place on Jan. 25 and targeted the Ukrainian public sector. 

In the year since the war in Ukraine began, Russian hackers have targeted Ukrainian systems alongside larger armed attacks, including by knocking Ukrainian government websites and banks offline the day before Russia’s invasion. 

Google Fi says hackers accessed customers’ information

Google Fi, Google’s cell network provider, on Monday told customers in an email that it had experienced a data breach and that hackers were able to access millions of customers’ information, including phone and SIM numbers, TechCrunch’s Carly Page reports. 

Google said customers’ personal data — such as credit card information, passwords and the contents of text messages or calls — had not been stolen, according to the email, which was obtained by TechCrunch. 

“The timing of the notice — and the fact that Google Fi uses a combination of T-Mobile and U.S. Cellular for network connectivity — suggests the breach is linked” to an incident at T-Mobile that occurred two weeks ago, Page writes. That incident allowed someone to maliciously obtain nearly 37 million customers’ personal data, including billing addresses, birth dates and T-Mobile account details, T-Mobile said. 

U.S. and India launch high-level defense and tech initiative

The United States and India on Tuesday officially established an initiative on critical and emerging technologies, known as iCET, to promote joint production of defense equipment — including military jet engines, long-range artillery and armored infantry vehicles, The Post’s Ellen Nakashima reports. 

The action comes after President Biden and Indian Prime Minister Narendra Modi in May committed to building such a relationship. National security adviser Jake Sullivan told reporters on Tuesday that it would serve both nations’ strategic interests amid Russia’s invasion of Ukraine and clashes with common adversaries like China. 

But, he said, “a big part of the story is fundamentally about a bet on high tech and an industrial innovation policy. That’s at the core of the president’s entire approach to his presidency. So the China-Russia factors are real, but so is the idea of building a deep democratic ecosystem with high technology.” 

Global cyberspace

British government minister told council to keep quiet after ransomware attack (The Record)

TikTok flip-flop: Department of Australian state bans, then unbans, social media app over spy fears (The Age )

How surveillance tech helped protect power — and the drug trade — in Honduras (Coda Story)

Cyber insecurity

Ransomware attack on Indianapolis Housing Agency leaks sensitive info on 200,000 residents (The Record )

Ransomware attack closes schools in Nantucket (CNN)

Threat campaign abuses Microsoft's verified publisher status to proliferate malicious OAuth apps, target business execs (SC Magazine)

Securing the ballot

GOP report shows plan to ramp up focus on disproven election fraud claims (Amy Gardner and Isaac Arnsdorf)

National security watch

New US ransomware strategy prioritizes victims but could make it harder to catch cybercriminals (CNN)

Space Force chief concerned about ‘backdoor’ for attacking satellite communications (DefenseScoop)

Government scan

Newest software cybersecurity rule draws jeers from agencies (Bloomberg Government )


  • U.S. cyber ambassador Nathaniel Fick speaks at an event hosted by the German Marshall Fund on Thursday at 10:30 a.m. 
  • California’s Privacy Protection Agency Board will meet Thursday to discuss possible action on proposed cybersecurity regulations. 

Secure log off

Thanks for reading. See you tomorrow.